QID 379586

QID 379586: GitLab Multiple Vulnerabilities (prior to GitLab 16.4.1, 16.3.5, 16.2.8)

GitLab Inc. is an open-core company that operates GitLab, a DevOps software package used to develop, secure, and operate software.

CVE-2023-5207: Attacker can add another project's policy bot as a member of their own project and use that bot to trigger pipelines in the victim's project
CVE-2023-5106: Group import allows impersonation of users in CI pipelines
CVE-2023-4379: Developers can bypass code owners approval by changing an MR's base branch
CVE-2023-3413: Leaking source code of restricted project through a fork
CVE-2023-5332: Third party library Consul requires enable-script-checks to be False to enable patch
CVE-2023-3914: Service account not deleted when namespace is deleted allowing access to internal projects
CVE-2023-3115: Enforce SSO settings bypassed for public projects for Members without identity
CVE-2023-5198: Removed project member can write to protected branches
CVE-2023-4532: Unauthorised association of CI jobs for Machine Learning experiments
CVE-2023-3917: Force pipelines to not have access to protected variables and will likely fail using tags
CVE-2023-3920: Maintainer can create a fork relationship between existing projects
CVE-2023-0989: Disclosure of masked CI variables via processing CI/CD configuration of forks
CVE-2023-3906: Asset Proxy Bypass using non-ASCII character in asset URI
CVE-2023-4658: Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
CVE-2023-3979: Removed Developer can continue editing the source code of a public project
CVE-2023-2233: A project reporter can leak owner's Sentry instance projects
CVE-2023-3922: Math rendering in markdown can escape container and hijack clicks

Affected Versions:
16.4.0, 16.3.0, 16.3.1, 16.3.2, 16.3.3, 16.3.4, 16.2.0, 16.2.1, 16.2.2, 16.2.3, 16.2.4, 16.2.5, 16.2.6, 16.2.7, and below

QID Detection Logic (Authenticated) (Linux):
The QID reads /opt/gitlab/version-manifest.txt and compares the installed GitLab version against the fixed versions to determine whether a vulnerable release is present.

Successful exploitation of these vulnerabilities may lead to the impacts described in the CVE list above, including: triggering pipelines in a victim's project via another project's policy bot, impersonation of users in CI pipelines through group import, bypass of code owner approval and of enforced SSO settings, leakage of restricted project source code, masked CI variables and a project owner's Sentry projects, unauthorized writes to protected branches by removed or unauthorized members, continued source editing by a removed Developer, unauthorized association of CI jobs with Machine Learning experiments, unwanted fork relationships between existing projects, asset proxy bypass via non-ASCII characters in asset URIs, and click hijacking through markdown math rendering.

  • CVSS V3 rated as Critical - 8.8 severity.
  • CVSS V2 rated as Medium - 5.4 severity.
  • Solution
    GitLab has released patches addressing these vulnerabilities. For more information please refer to GitLab Security Release: 16.4.1, 16.3.5, and 16.2.8.
    Vendor References
    GitLab Security Release: 16.4.1, 16.3.5, and 16.2.8: about.gitlab.com/releases/2023/09/28/security-release-gitlab-16-4-1-released/